Metrics: More than numbers
By definition, metrics are ‘parameters or measures of quantitative assessment used for measurement, comparison or to track performance or production.’
When it comes to an organization’s network infrastructure, and even its security, metrics are a powerful indicator of how well, or badly, the enterprise is at responding to a given situation.
The reason many organizations fall short when using metrics is miscommunication. IT will often deliver reports detailing user access, permission structures and patch management timetables when justifying additional budgets.
A request for extra storage is made under the guise of gigabytes, terabytes and petabytes. Even orders for desktop computers, tablets and smartphones are complicated by a myriad of confusing acronyms and abbreviations.
While on the surface it all sounds plausible, and perhaps vitally important, what does it actually mean? The reality is, not a lot. Instead of blindly accepting the proposal, CEOs need to demand comprehensible reports from the IT team, framed against the mission of the organization.
Let’s start by looking at one metric that is often tracked, but has little relevance as a management metric - the cost of the security program. In reality there is little correlation between cost and security. For example, if I halved the security budget would I be half as secure? Or equally if I doubled the budget would I be twice as secure? Of course not - infosecurity doesn’t work like that, unfortunately.
Security is not just the remit of the CISO but is a team effort. Any decisions need to be made with a cross-functional view – senior management, business units, sales, marketing, legal, customer support etc. – so that everyone knows the part they play, and IT understands how to weave all the disparate elements together.